CVE-2025-44894
📋 TL;DR
This vulnerability allows remote attackers to execute arbitrary code on affected FW-WGS-804HPT devices via a stack overflow in the RADIUS server configuration function. Attackers can exploit this without authentication to gain full control of the device. All systems running the vulnerable firmware version are affected.
💻 Affected Systems
- FW-WGS-804HPT
⚠️ Risk & Real-World Impact
Worst Case
Complete device compromise leading to persistent backdoor installation, network pivoting, credential theft, and disruption of network services.
Likely Case
Remote code execution allowing attackers to modify device configuration, intercept network traffic, or use the device as a foothold for further attacks.
If Mitigated
Limited impact if the device sits behind strict network segmentation with no internet exposure and proper access controls on its management interface.
🎯 Exploit Status
The public reference includes technical details that make exploitation straightforward. The vulnerability requires no authentication and has a simple trigger mechanism.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Unknown
Vendor Advisory: Unknown
Restart Required: Yes
Instructions:
1. Check the vendor website for firmware updates.
2. Download the latest firmware.
3. Back up the device configuration.
4. Upload and apply the firmware update.
5. Reboot the device.
6. Restore the configuration if needed.
🔧 Temporary Workarounds
Disable web management interface
Disable the web management interface to prevent exploitation of the vulnerable endpoint.
Use device CLI: no ip http server
no ip http secure-server
Network segmentation
Isolate affected devices from untrusted networks using firewall rules. On a Linux gateway between the untrusted network and the device, drop forwarded traffic destined for the device's web management ports (rules on the FORWARD chain with the device as destination; the original INPUT/-s form would only filter traffic coming from the device to the gateway itself):
iptables -A FORWARD -d [device_ip] -p tcp --dport 80 -j DROP
iptables -A FORWARD -d [device_ip] -p tcp --dport 443 -j DROP
🧯 If You Can't Patch
- Implement strict network access controls to limit access to device management interfaces
- Monitor for exploitation attempts and implement intrusion detection rules
🔍 How to Verify
Check if Vulnerable:
Check the firmware version via the web interface or CLI. If the version is v1.305b241111, the device is vulnerable.
Check Version:
show version | include Version
Verify Fix Applied:
Verify that the firmware version has been updated to a version later than v1.305b241111.
📡 Detection & Monitoring
Log Indicators:
- Unusual POST requests to the /web_radiusSrv_dftParam_post endpoint
- Large payloads sent to RADIUS configuration endpoints
- Device reboot or configuration changes without authorized activity
Network Indicators:
- HTTP POST requests with oversized radDftParamKey parameter
- Traffic to device management ports from unexpected sources
- Shellcode patterns in HTTP payloads
SIEM Query:
source="fw-wgs-804hpt" AND (url="/web_radiusSrv_dftParam_post" OR (method="POST" AND uri="*radiusSrv*dftParam*"))
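The network indicators above (a POST to /web_radiusSrv_dftParam_post with an oversized radDftParamKey) can be checked directly against captured HTTP requests. The following is an added detection example, not code from the advisory or the vendor; the MAX_KEY_LEN threshold, the Host header and the sample requests are constructed assumptions, since the page states no buffer size.

```python
"""Flag HTTP requests matching the CVE-2025-44894 indicators on this page:
a POST to /web_radiusSrv_dftParam_post carrying an oversized radDftParamKey."""
from __future__ import annotations
from urllib.parse import parse_qs, urlsplit

VULN_PATH = "/web_radiusSrv_dftParam_post"
PARAM = "radDftParamKey"
# Assumed threshold: the advisory gives no buffer size, so set this to the
# longest RADIUS shared secret legitimately configured in your environment.
MAX_KEY_LEN = 64


def parse_request(raw: bytes) -> tuple[str, str, dict[str, list[str]]]:
    """Split a raw HTTP/1.1 request into (method, path, form fields)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    request_line = head.split(b"\r\n", 1)[0].decode("latin-1")
    method, target, _version = request_line.split(" ", 2)
    fields = parse_qs(body.decode("latin-1"), keep_blank_values=True)
    return method, urlsplit(target).path, fields


def check_request(raw: bytes, max_len: int = MAX_KEY_LEN) -> dict | None:
    """Return an alert for a request that matches the indicators, else None."""
    method, path, fields = parse_request(raw)
    if method != "POST" or path != VULN_PATH:
        return None
    key_len = max((len(v) for v in fields.get(PARAM, [])), default=0)
    if key_len <= max_len:
        return None
    return {"path": path, "param": PARAM, "length": key_len}


def scan(requests: list[bytes]) -> list[dict]:
    """Run check_request over a batch of captured requests."""
    return [a for a in (check_request(r) for r in requests) if a is not None]


def build_request(method: str, path: str, body: str = "") -> bytes:
    """Assemble a raw request; used only to construct the sample traffic below."""
    head = f"{method} {path} HTTP/1.1\r\nHost: switch.example\r\n"
    head += f"Content-Length: {len(body)}\r\n\r\n"
    return (head + body).encode("latin-1")


# Constructed samples: a normal-length secret, an oversized one, an unrelated GET.
SAMPLES = [
    build_request("POST", VULN_PATH, "radDftParamKey=s3cret&radDftParamPort=1812"),
    build_request("POST", VULN_PATH, "radDftParamKey=" + "A" * 512),
    build_request("GET", "/index.html"),
]
```

Running scan(SAMPLES) reports only the second request, with its observed parameter length, so the threshold can be tuned against real management traffic before alerting on it.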